Domain Spoofing — The Hidden Change Happening Right Before Your Eyes
Have you ever been on a website—but you’re not really on that website? It’s confusing, but a simple tweak to a website's url turns it into a separate website.
Can you spot the difference without looking carefully?
- Instagram.com vs. instgram.com
- Amazon.com vs. amazonn.com
- Prnewswire.com vs. Prnnewswire.com
If you’re not careful, you might find yourself on one of these fake websites. A simple change to the domain suffix from “.com” to “.org” turns it into something different, if that domain suffix is not yet claimed.
Take Pancakeswap’s website, for example. The original domain is “pancakeswap.finance,” with other suffixes like .com, .net, and .info.
Ripping off this website is possible when you buy the same initial domain (pancakeswap) with a suffix like “.org."
Suppose this is successful: What just happened is called domain spoofing, and every day, more than 30,000 spoofing attacks occur worldwide.
In this post, we’ll share all you need to know about domain spoofing, how it affects your business, how to detect it, and ways to prevent it.
What Is Domain Spoofing?
Domain spoofing is a form of cyberattack where an attacker impersonates either the company or its employees to trick people into trusting them. Think of this as using a fake ID.
Here’s an example from Cloudflare.
This can be done via email with a false domain or by duplicating the website as we saw earlier—all in an effort to look legitimate.
The goal of domain spoofing is to be a replica of the legitimate website without the web visitors or email correspondents knowing. The attacker can go as far as replicating the logos, web design, content, etc.
If you fall for this attack, you'll likely be prompted to enter sensitive information, trusting you're sending data to the right website.
4 Ways Domain Spoofing Works
There are several methods—some simple, and others more complicated.
Here are four ways attackers spoof domains:
- URL substitution
- Cross-domain embedding
- Custom browsers
- Human browsers
1. URL Substitution
URL substitution works by substituting the original address of publishers with that of a spoofed domain. This is the easiest and simplest form of spoofing any domain. It's also the easiest to detect due to the vulnerability in the attack setup.
URL substitution is a common technique attackers use in programmatic advertising to deceive advertisers during a PPC auction.
The attacker presents themselves as “forbes.com" for example—meanwhile, it's a spoofed domain. If the advertiser falls for this, they’ll see their ad hosted on the supposed “forbes.com” website, but it’s all fake.
2. Cross-Domain Embedding
Cross-domain embedding is the pairing of two websites, one with low traffic but high-quality content, and another with high traffic but low-quality content.
With these two websites, the attacker then uses a custom iframe to overlay the two websites by masking the low traffic and high-quality content over the high traffic and low-quality content.
This technique is common among publishers with explicit, graphic content (e.g., pornography), fake news, hate speech, malware infection records, etc.
Related: Clickjacking — A Gap In Web Security
3. Custom Browsers
With a custom browser, attackers send bots to assigned websites on the internet and make the URL of these websites appear different. When the ad reads this URL, it reports back to the spoofed domain.
4. Human Browsers
This technique occurs when attackers a user visits a website with an infected or botnet-infused device. The malware on the user's device injects ads onto the web page, making publishers lose their revenue from the ad to the attackers.
Related: What Are Botnets?
Domain Spoofing Examples
An example of domain spoofing is the case of the attack between 2013 and 2015 on Facebook and Google. The attacker, named Rimašauskas, and his associates set up a fake company called Quanta Computer, imitating the genuine hardware supplier below.
They contacted the U.S.-based companies via a spoofed email and presented them with convincing-looking transactions of “duly paid” invoices.
These were with fake wire transfers, contracts, agreements, and lawyers prepared by Rimasauskas and his group. Although this transaction was a success, Rimasauskas was later arrested in March of 2017 and sentenced to 60 months in prison.
According to reports from the United States Attorney for the Southern District of New York, the attacker, Elvadas Rimasauskas, participated in the BEC (Business Email Compromise) scam worth $120m on two US-based Internet companies “(Victim Companies).”
This goes to show that if 2 of the biggest companies in the U.S., and the world, can fall for domain spoofing, no one is safe. This has expanded into programmatic advertising, causing things like ad fraud—meaning your ad is at risk of a spoofing attack.
Related: The Complete Guide to Ad Fraud
A quick look at the Methbot scheme in 2015 showed the massive adoption of domain spoofing in programmatic advertising. The scheme spoofed more than 6,000 premium publishers like Facebook (Now Meta), ESPN, The Economist, etc., in the U.S. and generated as much as $3m—$5m in revenue per day.
Ad fraud detection firm, WhiteOps, called it “the biggest ad fraud scheme to date.” What made this attack so sadly “impressive” is their choice of ad before attacking.
Micheal Horn, managing director of data science at Huge, said "... this attack (Mehtbot) targets lucrative video ads.” That comes as no surprise, considering the watch time for videos has increased in the last two years—demonstrating why spoofing video ads will continue to grow in popularity.
How do we stop domain spoofing? Stopping domain spoofing is not a one-off job, and attackers are getting smarter every day. In order to stop them, we must identify the different types of domain spoofing.
Types of Domain Spoofing
Email spoofing is a type of domain spoofing where attackers impersonate the original address of the real website with an email from the header.
A typical example is these two email addresses:
- Legitimate: email@example.com
- Fake: firstname.lastname@example.org
Users can respond or interact with the fake email address without careful observation and, unfortunately, have scam transactions with the attackers. In most cases, attackers spoof emails while running a phishing attack to lure unsuspecting victims into their scam.
A good example is the email spoofing attack on the San Francisco-based homelessness charity organization, Treasure Island.
The attackers stole $650,000 by infiltrating one of the bookkeeper's email systems by posing as an employee of the supposed organization. According to Ms. Williams in her conversation with the Wall Street Journal, “it wasn’t like they were using any weird language or using terminology that you wouldn’t use in these circumstances.”
And this becomes possible due to the loophole in SMTP (Simple Mail Transfer Protocol) used for email. The SMTP lacks domain verification that allows attackers to exploit the domain and send emails on their behalf.
However, recent authentication and validation protocols like DMARC (Domain-based Message Authentication Reporting and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework) are now in place to prove to mail services and ISPs that senders are authorized domain wonders.
Website spoofing involves maliciously creating an exact copy of the legitimate website.
A spoofed website serves different purposes. The major one is tricking users into thinking the website they're visiting is the actual website.
Once users visit these websites, they're prompted to enter either personal information or interact with the website like it's a legitimate website. The banking industry is a common victim of this type of attack. In the first quarter of 2021, clients of several Dutch banks faced a massive domain spoofing attack.
The attackers invited bank clients to scan a QR code that would unblock their mobile banking. But, unbeknownst to these clients, the QR code was infected with a malware that steals clients' information resulting in massive data theft.
Other cases of unapproved wire transactions were also reported across different dutch banks.
How To Prevent Domain Spoofing
Preventing domain spoofing involves users and companies having their emails and websites spoofed.
As a User
Observe The URL You Interact With
Eight out of 10 times, you won’t inspect the URL of the website you're on— and that's fine.
But there are preventive methods you need to have in place when you're on a website where you have to input personal information and transactions. Be on the lookout for discrepancies in the URL, site design, use of language, etc.
Only Interact With Secure Websites
Secure websites are websites with SSL certificates, and almost all legitimate websites will have one. A good way to identify a secure website is with the lock icon that represents the https in the domain URL.
For an unsecured website, your browser will notify you with a warning like this in the address bar.
As a Company
Use A Public Notice
A common practice with financial institutions is to publicly notify users not to reply to unsolicited emails from fraudsters posing as bank employees. This notice is mostly communicated via email and on the homepage of the involved institution.
An example is the Pancakeswap example you saw earlier.
Warnings like this let users double-check the domain URL to ensure authenticity.
Use a Domain Spoofing Protection And Prevention Provider
Domain protection and prevention providers are your safest bet. With these providers, you can protect your brand name, secure potential data leaks or theft and loss of funds.
How Edgemesh Helps You Combat Domain Spoofing
We understand the potential damage domain spoofing can cause to your brand, especially advertisers and publishers. In recent reports from Financial Times, domain spoofing is increasingly becoming a norm among fraudsters committing ad fraud, bringing in $1.3 million monthly to the perpetrators.
At Edgemesh, we help you set up an end-to-end security system that protects and prevents your domain from any spoofing attack. These systems help monitor all interactions within and outside your website to look for scammers potentially creating replicas of your company’s domains.